Most hospitality venues have no idea they are legally required to log guest Wi-Fi activity. Here is what the law actually says, what the real risks are, and how to fix it without any extra admin.
Hospitality Angle
The Problem
Offering open or password-only Wi-Fi with no usage policy and no activity logging leaves your venue legally exposed and your guests without any clear boundaries.
What You’ll Learn
What UK law requires, what a usage policy actually protects you from, and how Fydelia handles all of it automatically at the point of guest login.
Where We Fit
Carden Hotspots installs and configures Fydelia so your compliance logging, usage policy acceptance, and guest data handling are all built in from day one.
Best For
Any UK hospitality venue offering guest Wi-Fi โ hotels, restaurants, pubs, cafรฉs, spas, B&Bs, and event venues.
Three Things to Know Before You Read On
- UK law requires venues offering public Wi-Fi to retain connection logs for 12 months โ most hospitality businesses are not doing this and are unaware of the requirement
- A guest Wi-Fi usage policy accepted at login creates a timestamped record that can help protect your venue if something goes wrong on your network
- Fydelia handles both requirements automatically at the point of connection โ no manual logging, no paper forms, no admin overhead
Updated: 2025-07-01
Key sources:ย Investigatory Powers Act 2000 (RIPA)ย ย ยทย ย Investigatory Powers Act 2016ย ย ยทย ย ICO GDPR Guideย ย ยทย ย Fydelia Features
The Real Situation for Most Venues
Walk into almost any UK pub, cafรฉ, hotel, or restaurant and ask for the Wi-Fi. You will probably get a password scrawled on a chalkboard, printed on a receipt, or shown on a card by the till. You type it in, you are online. Done.
No login page. No usage terms. No record that you connected. No mechanism to flag if you then use that connection for something the venue would never want associated with their name.
This is the default state for the majority of UK hospitality venues. And while it feels harmless โ because most guests are doing nothing more sinister than checking Instagram โ it creates a genuine legal gap that most owners simply do not know exists.
โ ๏ธWithout Fydelia โ Typical Setup
Shared password on a chalkboard. Anyone who knows it can connect. No log of who connected or when. No usage policy accepted. No record exists if something goes wrong. If law enforcement requests connection data, you have nothing to provide โ and that absence itself may become a problem.
โWith Fydelia โ Compliant Setup
Every guest logs in through a branded splash page, accepts a usage policy, and provides an email address. Fydelia logs the connection with a timestamp. That record is stored and can be retrieved if needed. Your venue is demonstrably operating a managed, responsible network.
Why It Matters โ The Risks of Doing Nothing
The risks here are not theoretical, but they are also not the same for every venue. A clear-eyed view helps you decide how seriously to take this.
The legal exposure
Under the Investigatory Powers Act 2016 and its predecessor the Regulation of Investigatory Powers Act 2000, organisations that provide public communications services โ which includes public Wi-Fi in a hospitality venue โ can be required by law enforcement to retain and produce communications data. If your network is used in connection with a criminal investigation, you may be asked to produce logs showing who was connected and when.
If you have no logs, you cannot produce them. Whether that creates a problem for your venue depends on the specific circumstances, and you should take legal advice if you are concerned. The point here is simply that the legal framework exists, the requirement to retain data is real, and most venues are not meeting it.
The reputational exposure
Open Wi-Fi with no usage policy also creates a softer but equally real risk. If your network is used to download illegal content, send threatening messages, or conduct online fraud, your venue’s IP address is the one that appears in logs. You were not responsible โ but without a timestamped record showing the guest’s accepted terms and login details, demonstrating that becomes harder.
Important Caveat
This page is not legal advice. The regulatory picture around public Wi-Fi is nuanced and has evolved over time. The frameworks referenced here (RIPA, IPA 2016, UK GDPR) are real and in force, but how they apply to your specific venue and circumstances is a question for a solicitor. What Fydelia provides is a practical, automated logging and consent mechanism โ it is a reasonable step, not a guaranteed legal shield.
The GDPR angle
If you are capturing guest email addresses at Wi-Fi login โ which Fydelia does as part of building your marketing list โ you are processing personal data under UK GDPR. That means you need a clear privacy policy, a lawful basis for processing, and a mechanism to handle data subject requests. Fydelia is designed with GDPR compliance in mind, but the responsibility for how you use and store guest data ultimately rests with you as the data controller.
What Fydelia Does About It
Fydelia addresses the compliance gap automatically and without any ongoing admin from your team. Here is how each element works in practice.
Usage policy acceptance at every login
Every guest who connects sees a splash page with a usage policy checkbox before they can access the internet. They cannot skip it. When they tick the box and connect, Fydelia logs the timestamp, the device identifier, and the email address they provided. That record is stored in your Fydelia dashboard and can be retrieved if needed.
Email verification before access
Fydelia verifies that email addresses are genuine before granting access. This means your connection logs contain real, validated contact data โ not throwaway addresses that lead nowhere. For compliance purposes, a verified email linked to a connection log is considerably more useful than an unverified one.
Session and connection data retention
Connection records are retained within the Fydelia platform and accessible from the cloud dashboard. You do not need to run your own server, manage local databases, or remember to export logs. The data is there when you need it.
GDPR-aligned consent flows
Fydelia separates Wi-Fi access consent from marketing consent. A guest who ticks the usage policy box is granting consent to access your network under your terms. A separate, optional opt-in handles marketing communications. These are kept distinct, which is important for GDPR compliance โ conflating them (making marketing consent a condition of Wi-Fi access) is not compliant.
At a Glance โ What Fydelia Provides
Logging
Automatic timestamped connection records for every guest login
User ID
Verified email address captured and linked to each session
Policy
Usage policy acceptance recorded at every connection
GDPRS
eparate opt-in for marketing, distinct from network access consent
Storage
Records held in cloud dashboard, retrievable on demand
Admin
Zero ongoing admin โ everything runs automatically once configured
Practical Steps by Venue Type
The compliance requirements are the same regardless of venue type, but the practical starting point varies. Here is what the sensible next step looks like for each setting.
Hotels
Prioritise logging and GDPR
High guest turnover means a large volume of connection events daily. Automated logging is particularly important, and the GDPR marketing consent flow feeds directly into your CRM and email campaigns. Review your current privacy policy to ensure it covers guest Wi-Fi data.
Restaurants & Pubs
Replace the chalkboard password
The shared-password setup is the most common non-compliant configuration in food and beverage settings. A captive portal login replaces it entirely. Guests still connect easily; you just have a record of who did.
Cafรฉs
Add session limits too
Compliance and dwell-time management go hand in hand for cafรฉs. The captive portal that handles the usage policy can also set session time limits โ addressing two problems at once. (More on this in Page 3: The One-Coffee-All-Day Problem.)
B&Bs
A simple policy goes a long way
Smaller venues often feel the compliance question is less relevant to them. The risk is proportionally smaller, but the fix is equally simple. A basic splash page with a usage policy and email capture takes an afternoon to configure and runs automatically thereafter.
Spas & Wellness
Match the guest experience
In a premium guest environment, the compliance mechanism should feel like part of the welcome experience โ not a bureaucratic hurdle. A well-designed Fydelia splash page can reinforce your brand while handling the policy acceptance invisibly.
Multi-Site Groups
Standardise across all locations
Inconsistent compliance across sites is a real risk for groups. Fydelia’s centralised dashboard lets you manage and update the usage policy and logging configuration across all venues from one place, ensuring every location meets the same standard.
Quick Check
If you want to see how your current Wi-Fi performs before considering any changes to the setup, you can speed test your Wi-Fi using fast.com โ it takes 30 seconds and gives you a useful baseline of what guests are actually experiencing. A compliance overhaul is a natural moment to also review performance.
What to Watch Next
The regulatory landscape around public Wi-Fi in the UK is relatively stable but not static. A few things are worth keeping an eye on.
ICO enforcement patterns. The Information Commissioner’s Office periodically publishes enforcement actions and guidance that clarify expectations around public Wi-Fi and data capture. If you are capturing guest data via a captive portal, it is worth reviewing the ICO’s guidance on legitimate interests and consent at least once a year. The ICO website is the primary source for this.
UK GDPR divergence. Since leaving the EU, the UK has had the ability to diverge from EU GDPR. Significant changes have not materialised yet, but the UK government has signalled interest in reforming parts of the data protection framework. Any substantial changes would affect how consent flows in Fydelia need to be configured โ though the fundamental requirement to handle guest data responsibly is unlikely to change.
Fydelia platform updates. Fydelia updates its compliance features as regulations evolve. If you are already a Fydelia customer through Carden Hotspots, compliance-related platform changes are covered as part of the managed service. You do not need to track these updates yourself.
Frequently Asked Questions
More general questions about Carden Hotspots installations? Read our FAQs.
Is it actually illegal to offer Wi-Fi without a usage policy?
The short answer is: not straightforwardly illegal in the way that, say, serving alcohol without a licence is illegal. The legal picture is more nuanced. The Investigatory Powers Act 2016 creates obligations around communications data retention, and GDPR creates obligations around personal data handling. Whether your specific venue is in breach of either depends on the details of your setup and how you handle data.
What is clear is that offering unmanaged Wi-Fi with no logging and no usage policy is a weaker position than having those things in place. If something goes wrong on your network, having no records makes your situation harder to manage. This page is not legal advice โ if you have specific concerns, speak to a solicitor.
What exactly does Fydelia log, and how long is it kept?
Fydelia logs the email address provided at login, the device identifier, the date and time of connection, and the acceptance of your usage policy. Records are retained within the Fydelia cloud platform and are accessible from your dashboard. For specific data retention periods and settings, check directly with Fydelia or discuss with Carden Hotspots as part of your configuration โ the platform can be configured to align with your retention policy.
What if a guest gives a fake email address?
Fydelia verifies that email addresses are syntactically valid and that the domain exists before granting access. This filters out obvious throwaway entries. It is not a perfect solution โ a determined person using a legitimate-looking fake address would still get through โ but it is considerably better than accepting any string typed into a field. From a logging perspective, a verified-format email linked to a timestamped connection is a reasonable record.
Can we use social login (Facebook, Google) instead of email?
Yes. Fydelia supports social media login as an alternative to email. From a compliance perspective, social login still provides a user identifier linked to the connection, which serves a similar purpose to email capture. The GDPR picture is slightly different โ you are receiving data from a third-party platform rather than directly from the guest โ so it is worth reviewing the data handling implications if social login is your primary method.
Does Fydelia’s usage policy need to be written by a solicitor?
Fydelia provides template usage policy text that covers the standard provisions โ acceptable use, prohibited activities, liability limitations, and so on. For most hospitality venues, a sensible template is a reasonable starting point. If your venue has specific concerns โ large-scale public events, venues that attract particularly high-risk use cases, or group legal requirements โ having a solicitor review the final text is a sensible precaution. Carden Hotspots can advise on the configuration; the legal review of the policy text itself is your responsibility.
How do we handle a subject access request from a guest under GDPR?
If a guest submits a subject access request, you are required to provide them with the personal data you hold about them within one month. Fydelia’s dashboard allows you to search for and export connection records associated with a specific email address. This makes fulfilling an SAR straightforward from a Wi-Fi data perspective. You will also need to consider any other data you hold about that guest across your wider systems (CRM, booking platforms, EPOS, etc.).
We already have a terms and conditions page on our website. Is that enough?
No. A static page on your website that guests may or may not have read is not the same as a record of a specific guest accepting specific terms at a specific time before using your network. The value of the Fydelia approach is the timestamped acceptance record created at the point of connection โ that is the thing that matters for compliance purposes, not the existence of a document somewhere on your site.
Need Help Getting Your Wi-Fi Compliant?
If your venue is currently running an unmanaged Wi-Fi network with no usage policy and no connection logging, the fix is not complicated. It does not require replacing your hardware, and it does not create any noticeable friction for your guests. It takes an installation visit and a configuration session.
Carden Hotspots handles the full process โ surveying your existing network, installing Fydelia, configuring the splash page and usage policy, and providing ongoing support for both the hardware and the platform. You do not need to manage separate suppliers or navigate the Fydelia setup yourself.
For more examples of how this has worked in practice at real venues, check our case studies.
Let’s make your guest Wi-Fi compliant โ and useful
A short call is all it takes to understand your current setup and what a properly configured Fydelia deployment would look like for your venue. No pressure, just an honest conversation.
Let’s Talk! Back to OverviewCarden Hotspots installs and manages guest Wi-Fi for hospitality venues across the UK. Powered by Fydelia.